Christian Heimes via FreeIPA-users wrote:
> On 21/03/2024 18.42, Rob Crittenden via FreeIPA-users wrote:
>> Schweiss, Chip via FreeIPA-users wrote:
>>> I'm building out a multisite installation. For unknown reasons, the
>>> 'admin' user password needs to be reset each time I join a new FreeIPA
>>> replica.
>>>
>>> It seems to happen a minute or two after the ipa-replica-install
>>> completes.  Attempts to kinit immediately afterward usually work.
>>>
>>> Here's my ipa-replica install command I'm using:
>>>
>>> ipa-replica-install -n {domain} -r {realm} -d \
>>>    --server={existing_ipa_server} \
>>>    --setup-adtrust --add-agents --mkhomedir \
>>>    --ntp-pool={my_ntp_pool} \
>>>    -p $otp
>>>
>>> How do I track down the cause of this?
>>
>> I don't know how this can happen and don't recall having seen it before.
>> To track it down you'd need to enable the audit log in 389-ds on all
>> servers, including any newly created replica and wait for it to be
>> reset. That will show you at least what machine did so. The actual MOD
>> is probably not super interesting but who knows.
> 
> For the record, the "modifiersName" operational attribute is useless
> here. It's always the ipa_pwd_extop plugin:
> 
> $ ldapsearch -Y GSSAPI -LLL -b uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test modifiersName
> SASL/GSSAPI authentication started
> SASL username: ad...@ipahcc.test
> SASL SSF: 256
> SASL data security layer installed.
> dn: uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test
> modifiersName: cn=ipa_pwd_extop,cn=plugins,cn=config

I'm hoping he can correlate the time between the audit change and a
connection in the access log which should include the BIND.

rob
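The correlation Rob suggests (an audited change on the admin entry matched against the 389-ds access log to find the connection, its source address and the identity it bound as) can be scripted. The following is an added example, not code from the thread or from FreeIPA/389-ds: it parses the stock 389-ds audit-log and access-log formats, then pairs each audited modify of a target DN with access-log connections that issued a MOD on that DN within a few seconds. Both log excerpts are constructed samples; the client address, the bound identity and the password hash are placeholders. It assumes both logs come from the same host and that the host runs in UTC, so the audit log's local `time:` stamp and the access log's `+0000` stamps are directly comparable; adjust the parsing if your servers use another timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a 389-ds audit log (/var/log/dirsrv/slapd-INSTANCE/audit by
# default, written when nsslapd-auditlog-logging-enabled is on). Hash is a placeholder.
AUDIT_LOG = """\
389-Directory/2.4.5 B2024.001.0000

time: 20240321184312
dn: uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test
result: 0
changetype: modify
replace: userPassword
userPassword: {PBKDF2_SHA256}PLACEHOLDER
-
replace: krbLastPwdChange
krbLastPwdChange: 20240321184312Z
-
replace: modifiersName
modifiersName: cn=ipa_pwd_extop,cn=plugins,cn=config
-
"""

# Constructed sample of the matching access log. Address and bound identity are invented.
# A GSSAPI bind reports the identity on its final RESULT line; a simple bind on the BIND line.
ACCESS_LOG = """\
[21/Mar/2024:18:43:10.100000000 +0000] conn=1234 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[21/Mar/2024:18:43:10.400000000 +0000] conn=1234 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Mar/2024:18:43:10.500000000 +0000] conn=1234 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000300000 dn="uid=example-bind-identity,cn=users,cn=accounts,dc=ipahcc,dc=test"
[21/Mar/2024:18:43:12.100000000 +0000] conn=1234 op=2 MOD dn="uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test"
[21/Mar/2024:18:43:12.200000000 +0000] conn=1234 op=2 RESULT err=0 tag=103 nentries=0 etime=0.001100000
[21/Mar/2024:18:43:15.000000000 +0000] conn=1234 op=3 UNBIND
"""

ACCESS_LINE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4}\] "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$"
)


def parse_audit(text):
    """One dict per audit-log change: time, dn, changetype and the attributes touched."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        ts = re.search(r"^time: (\d{14})$", block, re.M)
        dn = re.search(r"^dn: (.+)$", block, re.M)
        ct = re.search(r"^changetype: (\w+)$", block, re.M)
        if not (ts and dn and ct):
            continue  # version banner or a truncated block
        entries.append({
            "time": datetime.strptime(ts.group(1), "%Y%m%d%H%M%S"),  # local time, assumed UTC
            "dn": dn.group(1).strip(),
            "changetype": ct.group(1),
            "attrs": re.findall(r"^(?:replace|add|delete): (\S+)$", block, re.M),
        })
    return entries


def parse_access(text):
    """Group access-log lines by conn id: source address, bound identity, MOD operations."""
    conns = {}
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        rest = m.group("rest")
        c = conns.setdefault(m.group("conn"), {"from": None, "bind_dn": None, "mods": []})
        if src := re.search(r"connection from (\S+) to ", rest):
            c["from"] = src.group(1)
        if bind := re.search(r'BIND dn="([^"]+)"', rest):              # simple bind
            c["bind_dn"] = bind.group(1)
        if sasl := re.search(r'RESULT err=0 .*\bdn="([^"]+)"', rest):  # completed SASL bind
            c["bind_dn"] = sasl.group(1)
        if mod := re.search(r'MOD dn="([^"]+)"', rest):
            c["mods"].append((ts, mod.group(1)))
    return conns


def correlate(audit_entries, conns, target_dn, window=timedelta(seconds=5)):
    """Pair each audited modify of target_dn with connections that issued a MOD on that
    DN within `window`; report the connection's source and the identity it bound as."""
    target = target_dn.lower()
    findings = []
    for e in audit_entries:
        if e["changetype"] != "modify" or e["dn"].lower() != target:
            continue
        for conn_id, c in conns.items():
            for mod_ts, mod_dn in c["mods"]:
                if mod_dn.lower() == target and abs(mod_ts - e["time"]) <= window:
                    findings.append({"audit_time": e["time"], "attrs": e["attrs"],
                                     "conn": conn_id, "from": c["from"], "bind_dn": c["bind_dn"]})
    return findings


if __name__ == "__main__":
    admin = "uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test"
    for f in correlate(parse_audit(AUDIT_LOG), parse_access(ACCESS_LOG), admin):
        print(f"{f['audit_time']} {f['attrs']} <- conn={f['conn']} "
              f"from {f['from']} bound as {f['bind_dn']}")
```

Run it against the real files on every server (the audit log has to be enabled on each of them first, as Rob says, and the access log is on by default); whichever server shows a MOD on the admin entry inside a connection of its own, rather than a replicated update arriving from a peer, is the one where the change originated, and the bound identity on that connection is the caller to look at.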
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org